Valentin Bud | 9 Feb 2012 20:59

nginx reverse proxy in front of netdot

Hello Community,


I have installed netdot, v0.9.10, following the online manual. Everything is working. I have a few other services running on that box
and I have configured nginx to proxy to Apache2 which listens on localhost only, on 8080 port.

All other services work ok but netdot throws out a 403 HTTP Error - Access to the webpage was denied. Do you know why this
happens? I have switched Apache2 to listen on the external interface (eth0) on port 8080 and it works as it should.

The nginx configuration pertaining to netdot follows:
location /netdot/ {
    proxy_pass         http://localhost:8080/netdot/;
    proxy_redirect     off;

    proxy_set_header   Host             localhost;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

    include            /etc/nginx/conf.d/proxy.options;
}

Has anybody encountered this kind of issue? Do you know how I can solve it?

Thank you and a wonderful day to everybody,
Valentin Bud
Valentin Bud | 9 Feb 2012 21:13

Hook to restart bind after export

Hello Community,


Is there some kind of a hook so I can restart Bind after I hit export in the web interface? If there is not
such a thing, could it be easy to implement it? I know I can make a script and run it from cron
but that would activate the new bind config after 1 minute only. If there is a hook that would activate
the new configuration instantly.

Better, how do you people deal with this? Thank you for insights and suggestions.

Have a wonderful day,
Valentin Bud
Vincent Magnin | 10 Feb 2012 14:17

Re: Hook to restart bind after export

Dear Valentin,

> Is there some kind of a hook so I can restart Bind after I hit export in
> the web interface?

On my server, I've written a small patch for this purpose... Look at
the file attached.

This patch uses scp/ssh to copy the zone file to the nameserver. You
just have to configure your SSH to allow such a command.

Regards,

Vincent

Attachment (netdot-0.9.patch): text/x-patch, 1222 bytes
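
Added example, not part of Vincent's patch or of Netdot: one way to let the export key run only what the push needs, instead of giving the web server's key a full shell on the nameserver, is an OpenSSH forced command. The zone directory, the rndc reload step and the wrapper path are assumptions, and the scp check assumes the legacy scp protocol (scp -O on OpenSSH 9.0 and later).

```shell
#!/bin/sh
# Added example: forced-command wrapper for the key Netdot uses to push zones.
# Install on the nameserver via authorized_keys (key material is a placeholder):
#   restrict,command="/usr/local/sbin/netdot-push-wrapper" ssh-ed25519 AAAA...placeholder netdot-export
LC_ALL=C; export LC_ALL          # make the [A-Za-z] ranges below ASCII-only
ZONE_DIR=/var/named/netdot       # assumed zone directory, not from the patch

# Return 0 only for the two commands the export job is assumed to need.
allow_export_command() {
    cmd=$1
    # Conservative character set: quotes, semicolons, backticks, $, pipes,
    # redirections, glob characters and newlines never reach the exec below.
    case $cmd in
        ''|*[!A-Za-z0-9./_\ -]*) return 1 ;;
    esac
    # No path traversal out of ZONE_DIR.
    case $cmd in
        *..*) return 1 ;;
    esac
    case $cmd in
        "rndc reload")
            return 0 ;;
        "scp -t $ZONE_DIR/"?*)
            # Exactly one target path: nothing may follow it.
            target=${cmd#"scp -t "}
            case $target in
                *' '*) return 1 ;;
            esac
            return 0 ;;
    esac
    return 1
}

# sshd puts the command the client requested in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_export_command "$SSH_ORIGINAL_COMMAND"; then
        # Word splitting is safe: only plain words passed the checks above.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t netdot-push "denied: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Denied requests are logged under the netdot-push syslog tag, so an unexpected command arriving with this key shows up on the nameserver.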
William Bulley | 21 Feb 2012 19:11

DiScOvErY vs dIsCoVeRy

I learned a painful lesson last month.  I wanted to add some 23 devices
whose DNS names and SNMP community strings I knew.  I placed these items
in a file and used the "-E" flag to bin/updatedevices.pl and waited for
it to "discover" these devices and place them into NETDOT's database.

This was using 0.9.10 on a fairly hefty Dell 1U server.  It took over
four (4!) hours.   Some wait that was!  :-(

Carlos suggested I clear the ADD_UNKNOWN_DP_DEVS flag which had been
configured to "one" in my etc/Site.conf file.

After making this configuration change, the same "discovery" process
took a bit more than four (4!) minutes.   :-)

Here is my quandary: I clearly don't want the discovery process to get
carried away searching the entire network here at Michigan.   :-(

But it would be nice to somehow tell bin/updatedevices.pl (and hence
Device.pm and SNMP::Info underneath the hood) to "prune" or "truncate"
the discovery process so that I would learn at the very least the DNS
name of any device connected to each interface on a "discovered device".

I don't see any way to do this.  It is either all or nothing with respect
to discovery.  I am thinking along the lines of the "-depth" or "-prune"
options to the standard Unix find(1) command.  In this fashion, I could
select a depth of +1, say, and have bin/updatedevices.pl gently query any
devices found attached to the interfaces of a fully discovered device.
But only the names (say) of those devices and nothing more, certainly
nothing attached to the interfaces of those first layer attached devices.

Is this a clear description of what I'm trying to accomplish?  Is this a
possibility?  Is this feasible?  Is this desirable?  Thanks for reading.

Regards,

web...

-- 
William Bulley                     Email: web@...

72 characters width template ----------------------------------------->|
Carlos Vicente | 21 Feb 2012 21:28

Re: DiScOvErY vs dIsCoVeRy

Hi web,

On 2/21/12 1:11 PM, William Bulley wrote:
> I learned a painful lesson last month.  I wanted to add some 23 devices
> whose DNS names and SNMP community strings I knew.  I placed these items
> in a file and used the "-E" flag to bin/updatedevices.pl and waited for
> it to "discover" these devices and place them into NETDOT's database.
> 
> This was using 0.9.10 on a fairly hefty Dell 1U server.  It took over
> four (4!) hours.   Some wait that was!  :-(
> 
> Carlos suggested I clear the ADD_UNKNOWN_DP_DEVS flag which had been
> configured to "one" in my etc/Site.conf file.
> 
> After making this configuration change, the same "discovery" process
> took a bit more than four (4!) minutes.   :-)
> 
> Here is my quandary: I clearly don't want the discovery process to get
> carried away searching the entire network here at Michigan.   :-(
> 
> But it would be nice to somehow tell bin/updatedevices.pl (and hence
> Device.pm and SNMP::Info underneath the hood) to "prune" or "truncate"
> the discovery process so that I would learn at the very least the DNS
> name of any device connected to each interface on a "discovered device".
> 
> I don't see any way to do this.  It is either all or nothing with respect
> to discovery.  I am thinking along the lines of the "-depth" or "-prune"
> options to the standard Unix find(1) command.  In this fashion, I could
> select a depth of +1, say, and have bin/updatedevices.pl gently query any
> devices found attached to the interfaces of a fully discovered device.
> But only the names (say) of those devices and nothing more, certainly
> nothing attached to the interfaces of those first layer attached devices.
> 
> Is this a clear description of what I'm trying to accomplish?  Is this a
> possibility?  Is this feasible?  Is this desirable?  Thanks for reading.
> 

I understand the problem. There are two places where Netdot 0.9.10 is
discovering neighbors with bin/updatedevices.pl:

a) During regular device discovery (option -I)
b) During topology discovery (option -T)

I decided that a) was a bit problematic, so I have removed that from the
code in the master repo (for v1.0)

During topology discovery (-T) you have more control because the code
goes one layer each time (depth=1). If you use the --recursive
parameter, then it will go all the way (depth=infinity)

That said, notice that CDP/LLDP information is stored in the interface
table whether you choose to "discover" unknown devices (aka create them
as devices in Netdot) or not. The information is a combination of MAC,
IP address and/or device name. It sounds like that may be sufficient for
you.

In terms of v1.0 release, we're working really hard to push a
(candidate) release by the end of February or early March.

Regards,

-- 
cv
Brett Thomson | 21 Feb 2012 22:56

Re: Juniper hardware inventory

Carlos Vicente <cvicente <at> ...> writes:

> 
> On 1/7/12 1:32 PM, Alexander Bochmann wrote:
> > Hi,
> > 
> > ...on Thu, Jan 05, 2012 at 02:44:10PM +0100, Alexander Bochmann wrote:
> > 
> >  > For Cisco/Alcatel/HP switches, netdot shows module information. 
> >  > There's none for the Juniper systems I added, though. 
> > 
> > There's also another more significant error I didn't see at first: VLAN 
> > information read from Juniper EX switches is wrong (SNMP::Info currently 
> > gets a vlan index from those systems, not the vlan ID).
> > 
> > Someone already wrote a JuniperEX.pm to solve that particular problem, 
> > available as patch #3323842 on the SNMP::Info bugtracker, http://goo.gl/W0iQx
> > 
> > The JUNIPER-VLAN-MIB attached to that entry depends on other mibs that 
> > aren't in the distribution though, so anyone using this patch will 
> > best download a current set of mibs from the Juniper web site.
> > 
> > I'll try to expand that JuniperEX.pm to provide module information too.
> > 
> > Alex.
> > 
> 
> Sounds good. Once you believe it's ready, I can try to push it for the
> next SNMP::Info release.
> 

Tried your Juniper VLAN fix Alex - Thanks for that, it worked a treat :-) 

I too am having issues with getting module information (output from 'sh chassis
hardware')

Our network is pretty much all Juniper, so having the ability to fully document
each device would be very useful. 

How are you coming along with your fix? I would love to know when you have
something.

btw, have you seen that the snmp implementation on the MX80's is a bit broken?
I have a JTAC case open, but being snmp, I don't hold much hope for a speedy
resolution.

Carlos - awesome tool!!! Keep up the good work

Valentin Bud | 22 Feb 2012 07:57

SSHFP Resource Record

Hello Community,


Would it be hard to add SSHFP records to be managed by netdot? I am no programmer but I would give it a 
try if you tell me where to start.

Thank you. Have a wonderful day,
Vale
William Bulley | 22 Feb 2012 13:37

Re: DiScOvErY vs dIsCoVeRy

According to Carlos Vicente <cvicente@...> on Tue, 02/21/12 at 15:28:
> 
> I understand the problem. There are two places where Netdot 0.9.10 is
> discovering neighbors with bin/updatedevices.pl:
> 
> a) During regular device discovery (option -I)
> b) During topology discovery (option -T)
> 
> I decided that a) was a bit problematic, so I have removed that from the
> code in the master repo (for v1.0)
> 
> During topology discovery (-T) you have more control because the code
> goes one layer each time (depth=1). If you use the --recursive
> parameter, then it will go all the way (depth=infinity)
> 
> That said, notice that CDP/LLDP information is stored in the interface
> table whether you choose to "discover" unknown devices (aka create them
> as devices in Netdot) or not. The information is a combination of MAC,
> IP address and/or device name. It sounds like that may be sufficient for
> you.
> 
> In terms of v1.0 release, we're working really hard to push a
> (candidate) release by the end of February or early March.

Thank you very much for that clear and concise answer.   :-)

Regards,

web...

-- 
William Bulley                     Email: web@...

72 characters width template ----------------------------------------->|
Brett Thomson | 23 Feb 2012 22:37

Extreme XOS Switches

Hi All,

Having problems getting all info out of XOS switches. 
Works fine with ExtremeWare OS switches.

With XOS switches, I do not get any module or Vlan tag information.

The module stuff appears to break at the load_attr stage...

SNMP::Info::_load_attr e_name : entPhysicalName
SNMP::Info::_load_atrr: BULKWALK Timeout at
/usr/local/netdot/lib/Netdot/Model/Device.pm line 666
SNMP::Info::_load_attr e_class : entPhysicalClass
SNMP::Info::_load_atrr: BULKWALK Timeout at
/usr/local/netdot/lib/Netdot/Model/Device.pm line 666
SNMP::Info::_load_attr e_pos : entPhysicalParentRelPos
SNMP::Info::_load_atrr: BULKWALK Timeout at
/usr/local/netdot/lib/Netdot/Model/Device.pm line 666
SNMP::Info::_load_attr e_descr : entPhysicalDescr

The VLAN TAG info appears to discover OK, but when it comes to inserting the
interfaces into the DB, it does not seem to associate VLAN interfaces, Tags and
Ports together.

Has anyone else seen this, and if so, does anyone have a fix for it?

thanks
BT

Joe Goldberg | 2 Mar 2012 15:57

Installation Permissions Issue

After playing with the VM version of NetDot, we decided to put it on a dedicated machine running CentOS 6.2.

I have all the dependencies installed and the NetDot installed without issue.  I'm sure this is something
simple I am overlooking but I would appreciate any insight you may have.

When I try to hit the web page though I am getting:
Forbidden
You don't have permission to access /netdot/ on this server.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to
handle the request.
Apache/2.2.15 (CentOS) Server at 10.5.4.46 Port 80

In the Apache error log I am seeing:
[Fri Mar 02 04:50:24 2012] [error] ses_key_cookie 
[Fri Mar 02 04:50:24 2012] [error] [client 10.5.4.45] failed to resolve handler `Netdot::Mason': Can't
locate Netdot/Mason.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5
/usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .
/etc/httpd) at (eval 61) line 3.\n
[Fri Mar 02 04:50:24 2012] [error] [client 10.5.4.45] File does not exist: /var/www/html/favicon.ico

Thanks,
Joe

